OpenSSL affected by "Heartbleed" zero-day vulnerability

A new security flaw affecting OpenSSL, the popular cryptographic library used by many websites, has been discovered and is reported to be very serious.

According to the Heartbleed website, the zero-day vulnerability found in OpenSSL affects the stable 1.0.1 version and the 1.0.2 beta version. Older versions of OpenSSL, such as the 0.9.8 series used in Mac OS and iOS and the 1.0.0 branch, are not vulnerable to "Heartbleed". Although the vulnerability has been addressed in OpenSSL version 1.0.1g, it is present in all prior 1.0.1 releases up to 1.0.1f. By exploiting this flaw, attackers can obtain primary and secondary SSL keys and directly hijack data being transferred over HTTPS.

Some web companies, such as CloudFlare, which provides security services for other websites, have used methods recommended by OpenSSL to patch the "Heartbleed" flaw, but according to a report from ZDNet those methods are not yet ready for broad deployment.

Open source firms Red Hat, Debian, SuSE, Canonical, and Oracle are reportedly working hard to patch the OpenSSL vulnerability in their operating systems and are expected to release the patches within 12 hours. Administrators are advised to deploy these patches for operating systems and network equipment as soon as they are made available by manufacturers and software developers.
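A triage helper for the version ranges the article gives, added here as an example and not code from the article or from the OpenSSL project: it classifies `openssl version` banners collected from a fleet (the inventory below is constructed) so an administrator can see which hosts need the 1.0.1g-level fix. Distributions often backport fixes without changing the version letter, so a "vulnerable" result from the banner alone is a prompt to check the package changelog, not a final verdict.

```python
import re

# Pattern for "OpenSSL 1.0.1e-fips 11 Feb 2013" style banners (letter suffix and
# "-betaN" are optional). Anything else is reported as unknown rather than guessed.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?", re.IGNORECASE)


def parse_version(banner):
    """Return (major, minor, patch, letter, is_beta) from a banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4).lower(), m.group(5) is not None


def heartbleed_status(banner):
    """Classify a banner as 'vulnerable', 'fixed', 'not_affected' or 'unknown'.

    Ranges as stated in the article: 1.0.1 through 1.0.1f and the 1.0.2 beta are
    affected, 1.0.1g carries the fix, and 0.9.8 / 1.0.0 are not affected.
    Caveat: vendors such as Red Hat backport the fix while keeping the 1.0.1e
    string, so 'vulnerable' means 'confirm against the package changelog'.
    """
    v = parse_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch, letter, is_beta = v
    if (major, minor, patch) == (1, 0, 1):
        return "vulnerable" if letter < "g" else "fixed"  # "" and a..f sort before g
    if (major, minor, patch) == (1, 0, 2) and is_beta:
        return "vulnerable"
    if (major, minor, patch) < (1, 0, 1):
        return "not_affected"
    return "unknown"  # releases newer than the article covers


def hosts_needing_action(inventory):
    """Return sorted hostnames whose banner is vulnerable or could not be classified."""
    return sorted(h for h, b in inventory.items() if heartbleed_status(b) in ("vulnerable", "unknown"))


# Constructed sample inventory: hostname -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web1": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web2": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail1": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab1": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy": "ssh: connect to host legacy port 22: Connection refused",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:8} {heartbleed_status(banner):13} {banner}")
    print("needs action:", ", ".join(hosts_needing_action(SAMPLE_INVENTORY)))
```

A "fixed" or "not_affected" banner still leaves the follow-up work the thread below describes: restarting every service that loaded the old library and rotating keys and certificates where exposure is possible.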

Source: Heartbleed via ZDNet | Image via Threat Post


23 Comments


Was gonna set up a server... now I have to put it on hold again till the community recompiles Apache with an updated SSL

That only applies if it's statically linked, which it won't be... you just need an updated openssl package, which already exists for all major distributions

Well yeah... the services load the libs when they start. You need to restart them to get them to reload the updated ones from disk

guitmz said,
Indeed! At least we don't have to reboot the entire server

Actually, in cases like this it might make sense to simply reboot the server. Other services that used the library might still be running. Not only webservers do SSL.

CentOS updated to 1.0.1e here (official RH patched release) but it still says I'm vulnerable... gotta dig deeper into this

guitmz said,
CentOS updated to 1.0.1e here (official RH patched release) but it still says I'm vulnerable... gotta dig deeper into this

Don't forget that patching the hole alone might not be enough. There is a considerable chance that if someone exploited the vulnerability against your server, he or she obtained your private key.

Just to be sure, recreate your private key, request a new certificate and revoke the old one.

Well, at least it was patched ASAP and has only been around for a couple of months. Unlike that SSL bug in Apple's operating systems that was present since 2012.

The one thing I love about open source software is that even though you can see all the code, it ends up more secure with all the eyes looking over it, and mistakes are caught much more quickly.

Ad Man Gamer said,
The one thing I love about open source software is that even though you can see all the code, it ends up more secure with all the eyes looking over it, and mistakes are caught much more quickly.

Not necessarily... there have been vulnerabilities that have gone unnoticed for years.

Max Norris said,

Not necessarily... there have been vulnerabilities that have gone unnoticed for years.

In some cases, 20+ years.

bits said,
Pretty sure this bug has existed, unnoticed, since March 2012.

It has. Luckily, most servers and whatnot rely on old STABLE releases of openssl (the 0.9.8 series), so they aren't affected.

Ad Man Gamer said,
Well, at least it was patched ASAP and has only been around for a couple of months. Unlike that SSL bug in Apple's operating systems that was present since 2012.

The one thing I love about open source software is that even though you can see all the code, it ends up more secure with all the eyes looking over it, and mistakes are caught much more quickly.

While there is some truth to that, it really comes down to how active a project is. There are a lot of crappy open source projects out there with limited to no support and almost no one looking at the code. The fact that they are open source doesn't help unless a company with resources decides to adopt them. OpenSSH is probably the 2nd most used Open Source project in the world, only beaten by the Linux Kernel itself (this is my guess, not based on facts). Of course it has a lot of eyes on it.

Edited by sphbecker, Apr 8 2014, 3:50pm :

n_K said,

It has. Luckily, most servers and whatnot rely on old STABLE releases of openssl (the 0.9.8 series), so they aren't affected.

I wouldn't be so sure. The CentOS 6.5 that I have running here WAS affected, and so was RHEL 6.5, as both had openssl 1.0.1.x installed via official yum repositories. This is enterprise Linux stuff...

Ubuntu and Debian, same problem.

I am now rebooting both servers after the fix has been applied; now I need to get new certificates just in case.


https://twitter.com/WarrenGuy/.../453510021930680320/photo/1

Also, this flaw has been in the code for over two years, so even in open source, flaws like these can go unnoticed for such an amount of time. That further makes the open versus closed source discussion useless. When people code, errors are made; it is that simple.

I'll just go back to replacing a bunch of certificates now :)


Hmm, on closer inspection, right you are. I did a test on my servers earlier (all running 1.0.1e from 2013 on Arch) and it said none were vulnerable. Just updated them now, but 1.0.1e is apparently vulnerable :s

I see. I saw that it didn't affect 1.0.0 or below, and I checked the release notes for 1.0.0 and saw that the last update was on 06-Jan-2014, and assumed that 0.1 and 0.2 came along after this time. But now I see that 1.0.1 has been around for a while, and that 0.1 and 0.2 are active alongside 0.0 and were not retired as the newer versions came out.

My bad people. I retract my statement, and my previous analysis.